Switch to JSON from yaml

2026-02-08 08:13:35 +01:00 · 2020-10-01 17:37:57 -04:00
parent 744a8bca73
commit 9d9d3aac53
7 changed files with 25 additions and 33 deletions
--- a/salt/soc/files/soc/alerts.actions.default.json
+++ b/salt/soc/files/soc/alerts.actions.default.json
@@ -1,6 +1,4 @@
-soc:
-  hunt: 
-    actions: [
+[
          { "name": "", "description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
          { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
          { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
--- a/salt/soc/files/soc/alerts.queries.default.json
+++ b/salt/soc/files/soc/alerts.queries.default.json
@@ -0,0 +1,9 @@
+[
+  { "name": "Group By Name, Module", "query": "* | groupby rule.name rule.uuid event.module event.severity_label" },
+  { "name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name rule.uuid network.community_id event.severity_label" },
+  { "name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name rule.uuid event.severity_label" },
+  { "name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name rule.uuid event.severity_label" },
+  { "name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name rule.uuid event.severity_label" },
+  { "name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name rule.uuid event.severity_label" },
+  { "name": "Ungroup", "query": "*" }
+]
--- a/salt/soc/files/soc/alerts.queries.default.yaml
+++ b/salt/soc/files/soc/alerts.queries.default.yaml
@@ -1,11 +0,0 @@
-soc:
-  alerts:
-    queries: [
-          { "name": "Group By Name, Module", "query": "* | groupby rule.name rule.uuid event.module event.severity_label" },
-          { "name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name rule.uuid network.community_id event.severity_label" },
-          { "name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name rule.uuid event.severity_label" },
-          { "name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name rule.uuid event.severity_label" },
-          { "name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name rule.uuid event.severity_label" },
-          { "name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name rule.uuid event.severity_label" },
-          { "name": "Ungroup", "query": "*" }
-        ]
--- a/salt/soc/files/soc/alerts.actions.default.yaml
+++ b/salt/soc/files/soc/alerts.actions.default.yaml
@@ -1,6 +1,4 @@
-soc:
-  alerts:
-    actions: [
+[
          { "name": "", "description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
          { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
          { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
--- a/salt/soc/files/soc/hunt.eventfields.default.json
+++ b/salt/soc/files/soc/hunt.eventfields.default.json
@@ -1,6 +1,4 @@
-soc:
-  hunt:
-    eventfields: 
+{
          "default": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "network.community_id", "event.dataset" ],
          "::conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.protocol", "log.id.uid", "network.community_id" ],
          "::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ],
@@ -42,4 +40,5 @@ soc:
          ":strelka:file": ["soc_timestamp", "scan.exiftool.OriginalFileName", "file.size", "hash.md5", "scan.exiftool.CompanyName", "scan.exiftool.Description", "scan.exiftool.Directory", "scan.exiftool.FileType", "scan.exiftool.FileOS", "log.id.fuid" ],
          ":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id" ],
          ":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
-          ":windows_eventlog:": ["soc_timestamp", "user.name" ] 
+          ":windows_eventlog:": ["soc_timestamp", "user.name" ] 
+          }
--- a/salt/soc/files/soc/hunt.queries.default.json
+++ b/salt/soc/files/soc/hunt.queries.default.json
@@ -1,6 +1,4 @@
-soc: 
-  hunt: 
-    queries: [
+[
          { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"},
          { "name": "Log Type", "description": "Show all events grouped by module and dataset", "query": "* | groupby event.module event.dataset"},
          { "name": "Elastalerts", "description": "", "query": "_type:elastalert | groupby rule.name"},
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -2,11 +2,11 @@
 {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %}
 {%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %}
 {%- set FEATURES = salt['pillar.get']('elastic:features', False) %}
-{%- import_yaml "soc/files/soc/alerts.queries.default.yaml" as alerts_queries %}
-{%- import_yaml "soc/files/soc/alerts.actions.default.yaml" as alerts_actions %}
-{%- import_yaml "soc/files/soc/hunt.queries.default.yaml" as hunt_queries %}
-{%- import_yaml "soc/files/soc/hunt.actions.default.yaml" as hunt_actions %}
-{%- import_yaml "soc/files/soc/hunt.eventfields.default.yaml" as hunt_eventfields %}
+{%- import_json "soc/files/soc/alerts.queries.default.json" as alerts_queries %}
+{%- import_json "soc/files/soc/alerts.actions.default.json" as alerts_actions %}
+{%- import_json "soc/files/soc/hunt.queries.default.json" as hunt_queries %}
+{%- import_json "soc/files/soc/hunt.actions.default.json" as hunt_actions %}
+{%- import_json "soc/files/soc/hunt.eventfields.default.json" as hunt_eventfields %}
 {
  "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
  "server": {
@@ -47,10 +47,11 @@
        "relativeTimeValue": 24,
        "relativeTimeUnit": 30,
        "mostRecentlyUsedLimit": 5,
+        "eventFields": {{ hunt_eventfields }},
        "queryBaseFilter": "",
        "queryToggleFilters": [],
-        "queries": {{ hunt_queries.soc.hunt.queries | json }} ,
-        "actions": {{ hunt_actions.soc.hunt.actions | json }} ,          
+        "queries": {{ hunt_queries }} ,
+        "actions": {{ hunt_actions }} ,          
      },
      "alerts": {
        "advanced": false,
@@ -70,8 +71,8 @@
          { "name": "acknowledged", "filter": "event.acknowledged:true", "enabled": false, "exclusive": true },
          { "name": "escalated", "filter": "event.escalated:true", "enabled": false, "exclusive": true }
        ],
-        "queries": {{ alerts_queries.soc.alerts.queries | json }},
-        "actions": {{ alerts_actions.soc.alerts.actions | json }}        
+        "queries": {{ alerts_queries }},
+        "actions": {{ alerts_actions }}        
      }        
    }
  }